IT Security at Bertelsmann - Bertelsmann SE & Co. KGaA

Information about the international media enterprise and it's corporate divisions RTL Group, Penguin Random House, Gruner + Jahr, Arvato; detailed information for journalists in the Bertelsmann SE & Co. KGaA's Press Center as well as everything about Corporate Responsibility activities at Bertelsmann.

Gütersloh, 05/12/2016

IT Security at Bertelsmann

Damian Baran (RTL Group), Ian Williamson (BMG), Wesley Harrison (Penguin Random House), Mark Dennis Kellermeier (Corporate Center), Bernd Nottelmann (G+J), Stefan Miernik (arvato), Jens Hickmann (RTL Group), Jan Becker (Corporate Audit), Christopher Herzog (Corporate Center), Claudia Gutting (G+J), Michael Krull (Corporate Center), Carsten Bittner (Corporate Center), Josef Malik (Corporate Center) (f. l.)

Subject: Media & Services
Country: Germany
Category: Project

There is no question that the digitization of a company brings tremendous opportunities, but it also brings new risks – particularly with regard to data security. The very ability to make information available accurately, securely and confidentially, and to process it smoothly is often a crucial competitive factor. At the same time, there are increased opportunities for cyber criminals to operate ever more professionally - and therefore more dangerously. This presents a major challenge for the public and private sector. We spoke with Carsten Bittner, who as Chief Information Security Officer is responsible for information security and IT governance at Bertelsmann, about how things stand regarding IT security at Bertelsmann.

Mr. Bittner, lately hacker attacks and data theft in the public and private sector have increasingly made the headlines. The damage incurred is often considerable. What is the state of information security at Bertelsmann?

Carsten Bittner: Bertelsmann has made tangible progress on information security in recent years. With our Information Security Management System, we've created an exemplary framework that now needs to be fleshed out. We work closely and purposefully with all divisions on joint, cross-divisional measures. In addition, there are a number of individual measures in place at our companies that are making things harder for cyber criminals. But defense against cyber-attack remains a challenge, because both sides are constantly expanding and upgrading their arsenal.

How does this manifest itself?

Carsten Bittner: We're seeing a growing number of targeted attacks that are also becoming more and more professional. The methods used are developing rapidly in line with state-of-the-art technology. So we're essentially in a race in which standing still means falling behind, and constantly need to improve ourselves as a result. It's also challenging that an attacker only needs to find one loophole, whereas we need to identify and secure a whole slew of loopholes. This “weapons inequality” lies at the heart of the challenge.

How do you find out where the greatest vulnerabilities lie and how do you ensure that they are eliminated?

Carsten Bittner: We use the structures we've established across Bertelsmann in recent years under what we call the ISMS (Information Security Management System). We regularly check the security of our digital assets for loopholes. This includes such things as contract and customer data, but also media content, as well as process and financial information. In each case this takes place at company level, involving a company executive and the information security officer. Risks are evaluated according to how critical they are and how expensive it would be to fix them. Depending on the result, they are then either addressed or accepted as part of the business. This approach ensures that we systematically eliminate the biggest weak points first.

What are the cyber criminals' objectives and what damage do they inflict?

Carsten Bittner: The resulting damage can be difficult to quantify. First, it's difficult enough to calculate the damage caused by a known incident as it involves indirect effects such as image damage as well as direct impacts, such as the failure of IT systems. Secondly, the number of unreported cases is high. For example, data breaches often go unnoticed. In addition to the theft of sensitive data, hackers often attempt to blackmail their victims. For example, malware is planted in a computer that encrypts important business data, and the key will be issued only upon payment. There is also fraud and identity theft, i.e. stealing passwords or other login information. Both are regularly used to trigger payments from company accounts to foreign accounts abroad. Here it helps to specifically raise employee's awareness of the security issue.

What can we do at Bertelsmann to build employee awareness about information security?

Carsten Bittner: The most important thing is to build awareness among our coworkers. All too often, digital naivety still prevails – and it is shamelessly exploited. So building awareness among employees is one of our absolute top priorities. No technology in the world can replace circumspect employee behavior. Because we know this, we set up a cross-divisional working group and have developed a customized new training course that addresses typical situations in everyday working life and increases awareness of the information security issue. The course is aimed at all employees. We will launch it soon.

You often refer to attacks, cybercrime and data theft. Doesn't this stand in direct competition to the seemingly unlimited possibilities and objectives of digital themes such as big data analytics, the Internet of Things, machine learning, etc.?

Carsten Bittner: I wouldn't call it competition as we are ultimately pursuing the same goals: to make the opportunities of digital technologies available for innovative businesses. And in such a way that our digital crown jewels are protected at the same time. Of course this also leads to discussions, such as when certain minimum requirements are not met for the sake of speeding up the implementation of a project. In most cases, we work very well and closely with the businesses. Information security is not an end in itself – it's also a way to make sure that the businesses to enjoy sustained success. We support the businesses and in no way see ourselves as information security police officers.